diff --git a/SOURCES/CVE-2015-7560-v4-2.patch b/SOURCES/CVE-2015-7560-v4-2.patch
new file mode 100644
index 0000000..687ee8a
--- /dev/null
+++ b/SOURCES/CVE-2015-7560-v4-2.patch
@@ -0,0 +1,1144 @@
+From a91cf9a5648184d39aa87e06d484b3d533aeefdb Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra@samba.org>
+Date: Tue, 5 Jan 2016 11:18:12 -0800
+Subject: [PATCH 01/12] CVE-2015-7560: s3: smbd: Add refuse_symlink() function
+ that can be used to prevent operations on a symlink.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648
+
+Signed-off-by: Jeremy Allison <jra@samba.org>
+Reviewed-by: Volker Lendecke <vl@samba.org>
+---
+ source3/smbd/trans2.c | 28 ++++++++++++++++++++++++++++
+ 1 file changed, 28 insertions(+)
+
+diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c
+index 41e1bb1..b9865fd 100644
+--- a/source3/smbd/trans2.c
++++ b/source3/smbd/trans2.c
+@@ -54,6 +54,34 @@ static char *store_file_unix_basic_info2(connection_struct *conn,
+ files_struct *fsp,
+ const SMB_STRUCT_STAT *psbuf);
+
++/****************************************************************************
++ Check if an open file handle or pathname is a symlink.
++****************************************************************************/
++
++static NTSTATUS refuse_symlink(connection_struct *conn,
++ const files_struct *fsp,
++ const char *name)
++{
++ SMB_STRUCT_STAT sbuf;
++ const SMB_STRUCT_STAT *pst = NULL;
++
++ if (fsp) {
++ pst = &fsp->fsp_name->st;
++ } else {
++ int ret = vfs_stat_smb_basename(conn,
++ name,
++ &sbuf);
++ if (ret == -1) {
++ return map_nt_error_from_unix(errno);
++ }
++ pst = &sbuf;
++ }
++ if (S_ISLNK(pst->st_ex_mode)) {
++ return NT_STATUS_ACCESS_DENIED;
++ }
++ return NT_STATUS_OK;
++}
++
+ /********************************************************************
+ The canonical "check access" based on object handle or path function.
+ ********************************************************************/
+--
+1.9.1
+
+
+From cd950ca41df5076c8622cdf9be0e0db165b992f1 Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra@samba.org>
+Date: Tue, 5 Jan 2016 10:38:28 -0800
+Subject: [PATCH 02/12] CVE-2015-7560: s3: smbd: Refuse to get an ACL from a
+ POSIX file handle on a symlink.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648
+
+Signed-off-by: Jeremy Allison <jra@samba.org>
+Reviewed-by: Volker Lendecke <vl@samba.org>
+---
+ source3/smbd/nttrans.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/source3/smbd/nttrans.c b/source3/smbd/nttrans.c
+index 4423a44..8113909 100644
+--- a/source3/smbd/nttrans.c
++++ b/source3/smbd/nttrans.c
+@@ -1905,6 +1905,13 @@ NTSTATUS smbd_do_query_security_desc(connection_struct *conn,
+ return NT_STATUS_ACCESS_DENIED;
+ }
+
++ if (S_ISLNK(fsp->fsp_name->st.st_ex_mode)) {
++ DEBUG(10, ("ACL get on symlink %s denied.\n",
++ fsp_str_dbg(fsp)));
++ TALLOC_FREE(frame);
++ return NT_STATUS_ACCESS_DENIED;
++ }
++
+ if (security_info_wanted & (SECINFO_DACL|SECINFO_OWNER|
+ SECINFO_GROUP|SECINFO_SACL)) {
+ /* Don't return SECINFO_LABEL if anything else was
+--
+1.9.1
+
+
+From b95ded07aec97c31c69f49f691d5f90fdee40f92 Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra@samba.org>
+Date: Tue, 5 Jan 2016 10:52:50 -0800
+Subject: [PATCH 03/12] CVE-2015-7560: s3: smbd: Refuse to set an ACL from a
+ POSIX file handle on a symlink.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648
+
+Signed-off-by: Jeremy Allison <jra@samba.org>
+Reviewed-by: Volker Lendecke <vl@samba.org>
+---
+ source3/smbd/nttrans.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/source3/smbd/nttrans.c b/source3/smbd/nttrans.c
+index 8113909..372d420 100644
+--- a/source3/smbd/nttrans.c
++++ b/source3/smbd/nttrans.c
+@@ -875,6 +875,12 @@ NTSTATUS set_sd(files_struct *fsp, struct security_descriptor *psd,
+ return NT_STATUS_OK;
+ }
+
++ if (S_ISLNK(fsp->fsp_name->st.st_ex_mode)) {
++ DEBUG(10, ("ACL set on symlink %s denied.\n",
++ fsp_str_dbg(fsp)));
++ return NT_STATUS_ACCESS_DENIED;
++ }
++
+ if (psd->owner_sid == NULL) {
+ security_info_sent &= ~SECINFO_OWNER;
+ }
+--
+1.9.1
+
+
+From 35abb608ce57efea1bc197b7d65f9347f9533f23 Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra@samba.org>
+Date: Tue, 5 Jan 2016 11:22:12 -0800
+Subject: [PATCH 04/12] CVE-2015-7560: s3: smbd: Refuse to set a POSIX ACL on a
+ symlink.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648
+
+Signed-off-by: Jeremy Allison <jra@samba.org>
+Reviewed-by: Volker Lendecke <vl@samba.org>
+---
+ source3/smbd/trans2.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c
+index b9865fd..a5eeda8 100644
+--- a/source3/smbd/trans2.c
++++ b/source3/smbd/trans2.c
+@@ -6745,6 +6745,7 @@ static NTSTATUS smb_set_posix_acl(connection_struct *conn,
+ uint16 num_def_acls;
+ bool valid_file_acls = True;
+ bool valid_def_acls = True;
++ NTSTATUS status;
+
+ if (total_data < SMB_POSIX_ACL_HEADER_SIZE) {
+ return NT_STATUS_INVALID_PARAMETER;
+@@ -6772,6 +6773,11 @@ static NTSTATUS smb_set_posix_acl(connection_struct *conn,
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
++ status = refuse_symlink(conn, fsp, smb_fname->base_name);
++ if (!NT_STATUS_IS_OK(status)) {
++ return status;
++ }
++
+ DEBUG(10,("smb_set_posix_acl: file %s num_file_acls = %u, num_def_acls = %u\n",
+ smb_fname ? smb_fname_str_dbg(smb_fname) : fsp_str_dbg(fsp),
+ (unsigned int)num_file_acls,
+--
+1.9.1
+
+
+From 95c3bf9102440cf299312acc0d0a89afebf0474e Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra@samba.org>
+Date: Tue, 5 Jan 2016 11:24:36 -0800
+Subject: [PATCH 05/12] CVE-2015-7560: s3: smbd: Refuse to get a POSIX ACL on a
+ symlink.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648
+
+Signed-off-by: Jeremy Allison <jra@samba.org>
+Reviewed-by: Volker Lendecke <vl@samba.org>
+---
+ source3/smbd/trans2.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c
+index a5eeda8..8ea49f1e 100644
+--- a/source3/smbd/trans2.c
++++ b/source3/smbd/trans2.c
+@@ -5248,6 +5248,13 @@ NTSTATUS smbd_do_qfilepathinfo(connection_struct *conn,
+ uint16 num_file_acls = 0;
+ uint16 num_def_acls = 0;
+
++ status = refuse_symlink(conn,
++ fsp,
++ smb_fname->base_name);
++ if (!NT_STATUS_IS_OK(status)) {
++ return status;
++ }
++
+ if (fsp && fsp->fh->fd != -1) {
+ file_acl = SMB_VFS_SYS_ACL_GET_FD(fsp,
+ talloc_tos());
+--
+1.9.1
+
+
+From c7ea0914d3b4a3deaf31a742c6edf4c6e7a91939 Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra@samba.org>
+Date: Tue, 5 Jan 2016 11:05:48 -0800
+Subject: [PATCH 06/12] CVE-2015-7560: s3: smbd: Set return values early,
+ allows removal of code duplication.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648
+
+Signed-off-by: Jeremy Allison <jra@samba.org>
+Reviewed-by: Volker Lendecke <vl@samba.org>
+---
+ source3/smbd/trans2.c | 13 +++++--------
+ 1 file changed, 5 insertions(+), 8 deletions(-)
+
+diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c
+index 8ea49f1e..35a0ba2 100644
+--- a/source3/smbd/trans2.c
++++ b/source3/smbd/trans2.c
+@@ -238,11 +238,12 @@ NTSTATUS get_ea_names_from_file(TALLOC_CTX *mem_ctx, connection_struct *conn,
+ size_t num_names;
+ ssize_t sizeret = -1;
+
++ if (pnames) {
++ *pnames = NULL;
++ }
++ *pnum_names = 0;
++
+ if (!lp_ea_support(SNUM(conn))) {
+- if (pnames) {
+- *pnames = NULL;
+- }
+- *pnum_names = 0;
+ return NT_STATUS_OK;
+ }
+
+@@ -292,10 +293,6 @@ NTSTATUS get_ea_names_from_file(TALLOC_CTX *mem_ctx, connection_struct *conn,
+
+ if (sizeret == 0) {
+ TALLOC_FREE(names);
+- if (pnames) {
+- *pnames = NULL;
+- }
+- *pnum_names = 0;
+ return NT_STATUS_OK;
+ }
+
+--
+1.9.1
+
+
+From 142a3050ec9875501b4f5693792d133bc5c3331a Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra@samba.org>
+Date: Tue, 5 Jan 2016 11:29:38 -0800
+Subject: [PATCH 07/12] CVE-2015-7560: s3: smbd: Silently return no EA's
+ available on a symlink.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648
+
+Signed-off-by: Jeremy Allison <jra@samba.org>
+Reviewed-by: Volker Lendecke <vl@samba.org>
+---
+ source3/smbd/trans2.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c
+index 35a0ba2..29e28bd 100644
+--- a/source3/smbd/trans2.c
++++ b/source3/smbd/trans2.c
+@@ -237,6 +237,7 @@ NTSTATUS get_ea_names_from_file(TALLOC_CTX *mem_ctx, connection_struct *conn,
+ char **names, **tmp;
+ size_t num_names;
+ ssize_t sizeret = -1;
++ NTSTATUS status;
+
+ if (pnames) {
+ *pnames = NULL;
+@@ -247,6 +248,14 @@ NTSTATUS get_ea_names_from_file(TALLOC_CTX *mem_ctx, connection_struct *conn,
+ return NT_STATUS_OK;
+ }
+
++ status = refuse_symlink(conn, fsp, fname);
++ if (!NT_STATUS_IS_OK(status)) {
++ /*
++ * Just return no EA's on a symlink.
++ */
++ return NT_STATUS_OK;
++ }
++
+ /*
+ * TALLOC the result early to get the talloc hierarchy right.
+ */
+--
+1.9.1
+
+
+From 08cf63d886b2f59f94a749089b73599330cee0e7 Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra@samba.org>
+Date: Tue, 5 Jan 2016 11:33:48 -0800
+Subject: [PATCH 08/12] CVE-2015-7560: s3: smbd: Refuse to set EA's on a
+ symlink.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648
+
+Signed-off-by: Jeremy Allison <jra@samba.org>
+Reviewed-by: Volker Lendecke <vl@samba.org>
+---
+ source3/smbd/trans2.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c
+index 29e28bd..aaaa5f4 100644
+--- a/source3/smbd/trans2.c
++++ b/source3/smbd/trans2.c
+@@ -659,6 +659,11 @@ NTSTATUS set_ea(connection_struct *conn, files_struct *fsp,
+ return NT_STATUS_EAS_NOT_SUPPORTED;
+ }
+
++ status = refuse_symlink(conn, fsp, smb_fname->base_name);
++ if (!NT_STATUS_IS_OK(status)) {
++ return status;
++ }
++
+ status = check_access(conn, fsp, smb_fname, FILE_WRITE_EA);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+--
+1.9.1
+
+
+From 259fec336cee663044d7e107a3dfce6264f20e84 Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra@samba.org>
+Date: Wed, 6 Jan 2016 17:17:24 -0800
+Subject: [PATCH 09/12] CVE-2015-7560: s3: libsmb: Rename cli_posix_getfaclXX()
+ functions to cli_posix_getacl() as they operate on pathnames.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648
+
+Signed-off-by: Jeremy Allison <jra@samba.org>
+Reviewed-by: Volker Lendecke <vl@samba.org>
+---
+ source3/client/client.c | 2 +-
+ source3/libsmb/clifile.c | 30 +++++++++++++++---------------
+ source3/libsmb/proto.h | 6 +++---
+ 3 files changed, 19 insertions(+), 19 deletions(-)
+
+diff --git a/source3/client/client.c b/source3/client/client.c
+index 67cc359..a8e5338 100644
+--- a/source3/client/client.c
++++ b/source3/client/client.c
+@@ -3376,7 +3376,7 @@ static int cmd_getfacl(void)
+ return 1;
+ }
+
+- status = cli_posix_getfacl(targetcli, targetname, ctx, &rb_size, &retbuf);
++ status = cli_posix_getacl(targetcli, targetname, ctx, &rb_size, &retbuf);
+ if (!NT_STATUS_IS_OK(status)) {
+ d_printf("%s getfacl file %s\n",
+ nt_errstr(status), src);
+diff --git a/source3/libsmb/clifile.c b/source3/libsmb/clifile.c
+index 61cb8b5..ff646e4 100644
+--- a/source3/libsmb/clifile.c
++++ b/source3/libsmb/clifile.c
+@@ -590,25 +590,25 @@ NTSTATUS cli_posix_hardlink(struct cli_state *cli,
+ }
+
+ /****************************************************************************
+- Do a POSIX getfacl (UNIX extensions).
++ Do a POSIX getacl - pathname based ACL get (UNIX extensions).
+ ****************************************************************************/
+
+-struct getfacl_state {
++struct getacl_state {
+ uint32_t num_data;
+ uint8_t *data;
+ };
+
+-static void cli_posix_getfacl_done(struct tevent_req *subreq);
++static void cli_posix_getacl_done(struct tevent_req *subreq);
+
+-struct tevent_req *cli_posix_getfacl_send(TALLOC_CTX *mem_ctx,
++struct tevent_req *cli_posix_getacl_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct cli_state *cli,
+ const char *fname)
+ {
+ struct tevent_req *req = NULL, *subreq = NULL;
+- struct getfacl_state *state = NULL;
++ struct getacl_state *state = NULL;
+
+- req = tevent_req_create(mem_ctx, &state, struct getfacl_state);
++ req = tevent_req_create(mem_ctx, &state, struct getacl_state);
+ if (req == NULL) {
+ return NULL;
+ }
+@@ -617,16 +617,16 @@ struct tevent_req *cli_posix_getfacl_send(TALLOC_CTX *mem_ctx,
+ if (tevent_req_nomem(subreq, req)) {
+ return tevent_req_post(req, ev);
+ }
+- tevent_req_set_callback(subreq, cli_posix_getfacl_done, req);
++ tevent_req_set_callback(subreq, cli_posix_getacl_done, req);
+ return req;
+ }
+
+-static void cli_posix_getfacl_done(struct tevent_req *subreq)
++static void cli_posix_getacl_done(struct tevent_req *subreq)
+ {
+ struct tevent_req *req = tevent_req_callback_data(
+ subreq, struct tevent_req);
+- struct getfacl_state *state = tevent_req_data(
+- req, struct getfacl_state);
++ struct getacl_state *state = tevent_req_data(
++ req, struct getacl_state);
+ NTSTATUS status;
+
+ status = cli_qpathinfo_recv(subreq, state, &state->data,
+@@ -638,12 +638,12 @@ static void cli_posix_getfacl_done(struct tevent_req *subreq)
+ tevent_req_done(req);
+ }
+
+-NTSTATUS cli_posix_getfacl_recv(struct tevent_req *req,
++NTSTATUS cli_posix_getacl_recv(struct tevent_req *req,
+ TALLOC_CTX *mem_ctx,
+ size_t *prb_size,
+ char **retbuf)
+ {
+- struct getfacl_state *state = tevent_req_data(req, struct getfacl_state);
++ struct getacl_state *state = tevent_req_data(req, struct getacl_state);
+ NTSTATUS status;
+
+ if (tevent_req_is_nterror(req, &status)) {
+@@ -654,7 +654,7 @@ NTSTATUS cli_posix_getfacl_recv(struct tevent_req *req,
+ return NT_STATUS_OK;
+ }
+
+-NTSTATUS cli_posix_getfacl(struct cli_state *cli,
++NTSTATUS cli_posix_getacl(struct cli_state *cli,
+ const char *fname,
+ TALLOC_CTX *mem_ctx,
+ size_t *prb_size,
+@@ -679,7 +679,7 @@ NTSTATUS cli_posix_getfacl(struct cli_state *cli,
+ goto fail;
+ }
+
+- req = cli_posix_getfacl_send(frame,
++ req = cli_posix_getacl_send(frame,
+ ev,
+ cli,
+ fname);
+@@ -693,7 +693,7 @@ NTSTATUS cli_posix_getfacl(struct cli_state *cli,
+ goto fail;
+ }
+
+- status = cli_posix_getfacl_recv(req, mem_ctx, prb_size, retbuf);
++ status = cli_posix_getacl_recv(req, mem_ctx, prb_size, retbuf);
+
+ fail:
+ TALLOC_FREE(frame);
+diff --git a/source3/libsmb/proto.h b/source3/libsmb/proto.h
+index 2efb208..f5f35e0 100644
+--- a/source3/libsmb/proto.h
++++ b/source3/libsmb/proto.h
+@@ -256,15 +256,15 @@ NTSTATUS cli_posix_hardlink(struct cli_state *cli,
+ const char *newname);
+ uint32_t unix_perms_to_wire(mode_t perms);
+ mode_t wire_perms_to_unix(uint32_t perms);
+-struct tevent_req *cli_posix_getfacl_send(TALLOC_CTX *mem_ctx,
++struct tevent_req *cli_posix_getacl_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct cli_state *cli,
+ const char *fname);
+-NTSTATUS cli_posix_getfacl_recv(struct tevent_req *req,
++NTSTATUS cli_posix_getacl_recv(struct tevent_req *req,
+ TALLOC_CTX *mem_ctx,
+ size_t *prb_size,
+ char **retbuf);
+-NTSTATUS cli_posix_getfacl(struct cli_state *cli,
++NTSTATUS cli_posix_getacl(struct cli_state *cli,
+ const char *fname,
+ TALLOC_CTX *mem_ctx,
+ size_t *prb_size,
+--
+1.9.1
+
+
+From d9054880d4bdbcb05c677e494906a26d62afa3a1 Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra@samba.org>
+Date: Wed, 6 Jan 2016 17:02:52 -0800
+Subject: [PATCH 10/12] CVE-2015-7560: s3: libsmb: Add SMB1-only POSIX
+ cli_posix_setacl() functions. Needed for tests.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648
+
+Signed-off-by: Jeremy Allison <jra@samba.org>
+Reviewed-by: Volker Lendecke <vl@samba.org>
+---
+ source3/libsmb/clifile.c | 100 +++++++++++++++++++++++++++++++++++++++++++++++
+ source3/libsmb/proto.h | 11 ++++++
+ 2 files changed, 111 insertions(+)
+
+diff --git a/source3/libsmb/clifile.c b/source3/libsmb/clifile.c
+index ff646e4..e4480c6 100644
+--- a/source3/libsmb/clifile.c
++++ b/source3/libsmb/clifile.c
+@@ -701,6 +701,106 @@ NTSTATUS cli_posix_getacl(struct cli_state *cli,
+ }
+
+ /****************************************************************************
++ Do a POSIX setacl - pathname based ACL set (UNIX extensions).
++****************************************************************************/
++
++struct setacl_state {
++ uint8_t *data;
++};
++
++static void cli_posix_setacl_done(struct tevent_req *subreq);
++
++struct tevent_req *cli_posix_setacl_send(TALLOC_CTX *mem_ctx,
++ struct tevent_context *ev,
++ struct cli_state *cli,
++ const char *fname,
++ const void *data,
++ size_t num_data)
++{
++ struct tevent_req *req = NULL, *subreq = NULL;
++ struct setacl_state *state = NULL;
++
++ req = tevent_req_create(mem_ctx, &state, struct setacl_state);
++ if (req == NULL) {
++ return NULL;
++ }
++ state->data = talloc_memdup(state, data, num_data);
++ if (tevent_req_nomem(state->data, req)) {
++ return tevent_req_post(req, ev);
++ }
++
++ subreq = cli_setpathinfo_send(state,
++ ev,
++ cli,
++ SMB_SET_POSIX_ACL,
++ fname,
++ state->data,
++ num_data);
++ if (tevent_req_nomem(subreq, req)) {
++ return tevent_req_post(req, ev);
++ }
++ tevent_req_set_callback(subreq, cli_posix_setacl_done, req);
++ return req;
++}
++
++static void cli_posix_setacl_done(struct tevent_req *subreq)
++{
++ NTSTATUS status = cli_setpathinfo_recv(subreq);
++ tevent_req_simple_finish_ntstatus(subreq, status);
++}
++
++NTSTATUS cli_posix_setacl_recv(struct tevent_req *req)
++{
++ return tevent_req_simple_recv_ntstatus(req);
++}
++
++NTSTATUS cli_posix_setacl(struct cli_state *cli,
++ const char *fname,
++ const void *acl_buf,
++ size_t acl_buf_size)
++{
++ TALLOC_CTX *frame = talloc_stackframe();
++ struct tevent_context *ev = NULL;
++ struct tevent_req *req = NULL;
++ NTSTATUS status = NT_STATUS_OK;
++
++ if (smbXcli_conn_has_async_calls(cli->conn)) {
++ /*
++ * Can't use sync call while an async call is in flight
++ */
++ status = NT_STATUS_INVALID_PARAMETER;
++ goto fail;
++ }
++
++ ev = samba_tevent_context_init(frame);
++ if (ev == NULL) {
++ status = NT_STATUS_NO_MEMORY;
++ goto fail;
++ }
++
++ req = cli_posix_setacl_send(frame,
++ ev,
++ cli,
++ fname,
++ acl_buf,
++ acl_buf_size);
++ if (req == NULL) {
++ status = NT_STATUS_NO_MEMORY;
++ goto fail;
++ }
++
++ if (!tevent_req_poll_ntstatus(req, ev, &status)) {
++ goto fail;
++ }
++
++ status = cli_posix_setacl_recv(req);
++
++ fail:
++ TALLOC_FREE(frame);
++ return status;
++}
++
++/****************************************************************************
+ Stat a file (UNIX extensions).
+ ****************************************************************************/
+
+diff --git a/source3/libsmb/proto.h b/source3/libsmb/proto.h
+index f5f35e0..08dda96 100644
+--- a/source3/libsmb/proto.h
++++ b/source3/libsmb/proto.h
+@@ -269,6 +269,17 @@ NTSTATUS cli_posix_getacl(struct cli_state *cli,
+ TALLOC_CTX *mem_ctx,
+ size_t *prb_size,
+ char **retbuf);
++struct tevent_req *cli_posix_setacl_send(TALLOC_CTX *mem_ctx,
++ struct tevent_context *ev,
++ struct cli_state *cli,
++ const char *fname,
++ const void *acl_buf,
++ size_t acl_buf_size);
++NTSTATUS cli_posix_setacl_recv(struct tevent_req *req);
++NTSTATUS cli_posix_setacl(struct cli_state *cli,
++ const char *fname,
++ const void *acl_buf,
++ size_t acl_buf_size);
+ struct tevent_req *cli_posix_stat_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct cli_state *cli,
+--
+1.9.1
+
+
+From 5de774189a4e7be050c67d06f450a498d90d4368 Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra@samba.org>
+Date: Thu, 7 Jan 2016 12:58:34 -0800
+Subject: [PATCH 11/12] CVE-2015-7560: s3: torture3: Add new POSIX-SYMLINK-ACL
+ test.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648
+
+Signed-off-by: Jeremy Allison <jra@samba.org>
+Reviewed-by: Volker Lendecke <vl@samba.org>
+---
+ selftest/knownfail | 1 +
+ source3/selftest/tests.py | 2 +-
+ source3/torture/torture.c | 198 ++++++++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 200 insertions(+), 1 deletion(-)
+
+diff --git a/selftest/knownfail b/selftest/knownfail
+index fd41263..6696ba3 100644
+--- a/selftest/knownfail
++++ b/selftest/knownfail
+@@ -16,6 +16,7 @@
+ ^samba3.smbtorture_s3.plain\(dc\).UID-REGRESSION-TEST # Fails against the s4 ntvfs server
+ ^samba3.smbtorture_s3.plain\(dc\).SHORTNAME-TEST # Fails against the s4 ntvfs server
+ ^samba3.smbtorture_s3.plain\(dc\).POSIX-APPEND # Fails against the s4 ntvfs server
++^samba3.smbtorture_s3.plain\(ad_dc_ntvfs\).POSIX-SYMLINK-ACL # Fails against the s4 ntvfs server
+ ^samba3.smbtorture_s3.plain\(dc\).NTTRANS-FSCTL # Fails against the s4 ntvfs server
+ ^samba3.smbtorture_s3.plain\(dc\).SMB2-NEGPROT # Fails against the s4 ntvfs server
+ ^samba3.smbtorture_s3.plain\(dc\).BAD-NBT-SESSION # Fails against the s4 ntvfs server
+diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
+index 7279927..e66ddbc 100755
+--- a/source3/selftest/tests.py
++++ b/source3/selftest/tests.py
+@@ -78,7 +78,7 @@ tests = ["RW1", "RW2", "RW3"]
+ for t in tests:
+ plantestsuite("samba3.smbtorture_s3.vfs_aio_fork(simpleserver).%s" % t, "simpleserver", [os.path.join(samba3srcdir, "script/tests/test_smbtorture_s3.sh"), t, '//$SERVER_IP/vfs_aio_fork', '$USERNAME', '$PASSWORD', smbtorture3, "", "-l $LOCAL_PATH"])
+
+-posix_tests = ["POSIX", "POSIX-APPEND"]
++posix_tests = ["POSIX", "POSIX-APPEND", "POSIX-SYMLINK-ACL"]
+
+ for t in posix_tests:
+ plantestsuite("samba3.smbtorture_s3.plain(s3dc).%s" % t, "s3dc", [os.path.join(samba3srcdir, "script/tests/test_smbtorture_s3.sh"), t, '//$SERVER_IP/posix_share', '$USERNAME', '$PASSWORD', smbtorture3, "", "-l $LOCAL_PATH"])
+diff --git a/source3/torture/torture.c b/source3/torture/torture.c
+index 0b37e5c..6c0ab17 100644
+--- a/source3/torture/torture.c
++++ b/source3/torture/torture.c
+@@ -5820,6 +5820,203 @@ static bool run_simple_posix_open_test(int dummy)
+ return correct;
+ }
+
++/*
++ Test POSIX and Windows ACLs are rejected on symlinks.
++ */
++static bool run_acl_symlink_test(int dummy)
++{
++ static struct cli_state *cli;
++ const char *fname = "posix_file";
++ const char *sname = "posix_symlink";
++ uint16_t fnum = (uint16_t)-1;
++ bool correct = false;
++ NTSTATUS status;
++ char *posix_acl = NULL;
++ size_t posix_acl_len = 0;
++ char *posix_acl_sym = NULL;
++ size_t posix_acl_len_sym = 0;
++ struct security_descriptor *sd = NULL;
++ struct security_descriptor *sd_sym = NULL;
++ TALLOC_CTX *frame = NULL;
++
++ frame = talloc_stackframe();
++
++ printf("Starting acl symlink test\n");
++
++ if (!torture_open_connection(&cli, 0)) {
++ TALLOC_FREE(frame);
++ return false;
++ }
++
++ smbXcli_conn_set_sockopt(cli->conn, sockops);
++
++ status = torture_setup_unix_extensions(cli);
++ if (!NT_STATUS_IS_OK(status)) {
++ TALLOC_FREE(frame);
++ return false;
++ }
++
++ cli_setatr(cli, fname, 0, 0);
++ cli_posix_unlink(cli, fname);
++ cli_setatr(cli, sname, 0, 0);
++ cli_posix_unlink(cli, sname);
++
++ status = cli_ntcreate(cli,
++ fname,
++ 0,
++ READ_CONTROL_ACCESS,
++ 0,
++ FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE,
++ FILE_CREATE,
++ 0x0,
++ 0x0,
++ &fnum,
++ NULL);
++
++ if (!NT_STATUS_IS_OK(status)) {
++ printf("cli_ntcreate of %s failed (%s)\n",
++ fname,
++ nt_errstr(status));
++ goto out;
++ }
++
++ /* Get the Windows ACL on the file. */
++ status = cli_query_secdesc(cli,
++ fnum,
++ frame,
++ &sd);
++ if (!NT_STATUS_IS_OK(status)) {
++ printf("cli_query_secdesc failed (%s)\n",
++ nt_errstr(status));
++ goto out;
++ }
++
++ /* Get the POSIX ACL on the file. */
++ status = cli_posix_getacl(cli,
++ fname,
++ frame,
++ &posix_acl_len,
++ &posix_acl);
++
++ if (!NT_STATUS_IS_OK(status)) {
++ printf("cli_posix_getacl failed (%s)\n",
++ nt_errstr(status));
++ goto out;
++ }
++
++ status = cli_close(cli, fnum);
++ if (!NT_STATUS_IS_OK(status)) {
++ printf("close failed (%s)\n", nt_errstr(status));
++ goto out;
++ }
++ fnum = (uint16_t)-1;
++
++ /* Now create a symlink. */
++ status = cli_posix_symlink(cli, fname, sname);
++ if (!NT_STATUS_IS_OK(status)) {
++ printf("cli_posix_symlink of %s -> %s failed (%s)\n",
++ sname,
++ fname,
++ nt_errstr(status));
++ goto out;
++ }
++
++ /* Open a handle on the symlink. */
++ status = cli_ntcreate(cli,
++ sname,
++ 0,
++ READ_CONTROL_ACCESS|SEC_STD_WRITE_DAC,
++ 0,
++ FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE,
++ FILE_OPEN,
++ 0x0,
++ 0x0,
++ &fnum,
++ NULL);
++
++ if (!NT_STATUS_IS_OK(status)) {
++ printf("cli_posix_open of %s failed (%s)\n",
++ sname,
++ nt_errstr(status));
++ goto out;
++ }
++
++ /* Get the Windows ACL on the symlink handle. Should fail */
++ status = cli_query_secdesc(cli,
++ fnum,
++ frame,
++ &sd_sym);
++
++ if (!NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
++ printf("cli_query_secdesc on a symlink gave %s. "
++ "Should be NT_STATUS_ACCESS_DENIED.\n",
++ nt_errstr(status));
++ goto out;
++ }
++
++ /* Get the POSIX ACL on the symlink pathname. Should fail. */
++ status = cli_posix_getacl(cli,
++ sname,
++ frame,
++ &posix_acl_len_sym,
++ &posix_acl_sym);
++
++ if (!NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
++ printf("cli_posix_getacl on a symlink gave %s. "
++ "Should be NT_STATUS_ACCESS_DENIED.\n",
++ nt_errstr(status));
++ goto out;
++ }
++
++ /* Set the Windows ACL on the symlink handle. Should fail */
++ status = cli_set_security_descriptor(cli,
++ fnum,
++ SECINFO_DACL,
++ sd);
++
++ if (!NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
++ printf("cli_query_secdesc on a symlink gave %s. "
++ "Should be NT_STATUS_ACCESS_DENIED.\n",
++ nt_errstr(status));
++ goto out;
++ }
++
++ /* Set the POSIX ACL on the symlink pathname. Should fail. */
++ status = cli_posix_setacl(cli,
++ sname,
++ posix_acl,
++ posix_acl_len);
++
++ if (!NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
++ printf("cli_posix_getacl on a symlink gave %s. "
++ "Should be NT_STATUS_ACCESS_DENIED.\n",
++ nt_errstr(status));
++ goto out;
++ }
++
++ printf("ACL symlink test passed\n");
++ correct = true;
++
++ out:
++
++ if (fnum != (uint16_t)-1) {
++ cli_close(cli, fnum);
++ fnum = (uint16_t)-1;
++ }
++
++ cli_setatr(cli, sname, 0, 0);
++ cli_posix_unlink(cli, sname);
++ cli_setatr(cli, fname, 0, 0);
++ cli_posix_unlink(cli, fname);
++
++ if (!torture_close_connection(cli)) {
++ correct = false;
++ }
++
++ TALLOC_FREE(frame);
++ return correct;
++}
++
+
+ static uint32 open_attrs_table[] = {
+ FILE_ATTRIBUTE_NORMAL,
+@@ -9647,6 +9844,7 @@ static struct {
+ {"OPEN", run_opentest, 0},
+ {"POSIX", run_simple_posix_open_test, 0},
+ {"POSIX-APPEND", run_posix_append, 0},
++ {"POSIX-SYMLINK-ACL", run_acl_symlink_test, 0},
+ {"CASE-INSENSITIVE-CREATE", run_case_insensitive_create, 0},
+ {"ASYNC-ECHO", run_async_echo, 0},
+ { "UID-REGRESSION-TEST", run_uid_regression_test, 0},
+--
+1.9.1
+
+
+From 6149e7297d9279df3b535e72eabbede7bd235925 Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra@samba.org>
+Date: Thu, 7 Jan 2016 14:26:35 -0800
+Subject: [PATCH 12/12] CVE-2015-7560: s3: torture3: Add new POSIX-SYMLINK-EA
+ test.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648
+
+Signed-off-by: Jeremy Allison <jra@samba.org>
+Reviewed-by: Volker Lendecke <vl@samba.org>
+---
+ selftest/knownfail | 1 +
+ source3/selftest/tests.py | 2 +-
+ source3/torture/torture.c | 179 ++++++++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 181 insertions(+), 1 deletion(-)
+
+diff --git a/selftest/knownfail b/selftest/knownfail
+index 6696ba3..c919a6a 100644
+--- a/selftest/knownfail
++++ b/selftest/knownfail
+@@ -17,6 +17,7 @@
+ ^samba3.smbtorture_s3.plain\(dc\).SHORTNAME-TEST # Fails against the s4 ntvfs server
+ ^samba3.smbtorture_s3.plain\(dc\).POSIX-APPEND # Fails against the s4 ntvfs server
+ ^samba3.smbtorture_s3.plain\(ad_dc_ntvfs\).POSIX-SYMLINK-ACL # Fails against the s4 ntvfs server
++^samba3.smbtorture_s3.plain\(ad_dc_ntvfs\).POSIX-SYMLINK-EA # Fails against the s4 ntvfs server
+ ^samba3.smbtorture_s3.plain\(dc\).NTTRANS-FSCTL # Fails against the s4 ntvfs server
+ ^samba3.smbtorture_s3.plain\(dc\).SMB2-NEGPROT # Fails against the s4 ntvfs server
+ ^samba3.smbtorture_s3.plain\(dc\).BAD-NBT-SESSION # Fails against the s4 ntvfs server
+diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
+index e66ddbc..830753c 100755
+--- a/source3/selftest/tests.py
++++ b/source3/selftest/tests.py
+@@ -78,7 +78,7 @@ tests = ["RW1", "RW2", "RW3"]
+ for t in tests:
+ plantestsuite("samba3.smbtorture_s3.vfs_aio_fork(simpleserver).%s" % t, "simpleserver", [os.path.join(samba3srcdir, "script/tests/test_smbtorture_s3.sh"), t, '//$SERVER_IP/vfs_aio_fork', '$USERNAME', '$PASSWORD', smbtorture3, "", "-l $LOCAL_PATH"])
+
+-posix_tests = ["POSIX", "POSIX-APPEND", "POSIX-SYMLINK-ACL"]
++posix_tests = ["POSIX", "POSIX-APPEND", "POSIX-SYMLINK-ACL", "POSIX-SYMLINK-EA"]
+
+ for t in posix_tests:
+ plantestsuite("samba3.smbtorture_s3.plain(s3dc).%s" % t, "s3dc", [os.path.join(samba3srcdir, "script/tests/test_smbtorture_s3.sh"), t, '//$SERVER_IP/posix_share', '$USERNAME', '$PASSWORD', smbtorture3, "", "-l $LOCAL_PATH"])
+diff --git a/source3/torture/torture.c b/source3/torture/torture.c
+index 6c0ab17..34c1a37 100644
+--- a/source3/torture/torture.c
++++ b/source3/torture/torture.c
+@@ -6017,6 +6017,183 @@ static bool run_acl_symlink_test(int dummy)
+ return correct;
+ }
+
++/*
++ Test setting EA's are rejected on symlinks.
++ */
++static bool run_ea_symlink_test(int dummy)
++{
++ static struct cli_state *cli;
++ const char *fname = "posix_file_ea";
++ const char *sname = "posix_symlink_ea";
++ const char *ea_name = "testea_name";
++ const char *ea_value = "testea_value";
++ uint16_t fnum = (uint16_t)-1;
++ bool correct = false;
++ NTSTATUS status;
++ size_t i, num_eas;
++ struct ea_struct *eas = NULL;
++ TALLOC_CTX *frame = NULL;
++
++ frame = talloc_stackframe();
++
++ printf("Starting EA symlink test\n");
++
++ if (!torture_open_connection(&cli, 0)) {
++ TALLOC_FREE(frame);
++ return false;
++ }
++
++ smbXcli_conn_set_sockopt(cli->conn, sockops);
++
++ status = torture_setup_unix_extensions(cli);
++ if (!NT_STATUS_IS_OK(status)) {
++ TALLOC_FREE(frame);
++ return false;
++ }
++
++ cli_setatr(cli, fname, 0, 0);
++ cli_posix_unlink(cli, fname);
++ cli_setatr(cli, sname, 0, 0);
++ cli_posix_unlink(cli, sname);
++
++ status = cli_ntcreate(cli,
++ fname,
++ 0,
++ READ_CONTROL_ACCESS,
++ 0,
++ FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE,
++ FILE_CREATE,
++ 0x0,
++ 0x0,
++ &fnum,
++ NULL);
++
++ if (!NT_STATUS_IS_OK(status)) {
++ printf("cli_ntcreate of %s failed (%s)\n",
++ fname,
++ nt_errstr(status));
++ goto out;
++ }
++
++ status = cli_close(cli, fnum);
++ if (!NT_STATUS_IS_OK(status)) {
++ printf("close failed (%s)\n",
++ nt_errstr(status));
++ goto out;
++ }
++ fnum = (uint16_t)-1;
++
++ /* Set an EA on the path. */
++ status = cli_set_ea_path(cli,
++ fname,
++ ea_name,
++ ea_value,
++ strlen(ea_value)+1);
++
++ if (!NT_STATUS_IS_OK(status)) {
++ printf("cli_set_ea_path failed (%s)\n",
++ nt_errstr(status));
++ goto out;
++ }
++
++ /* Now create a symlink. */
++ status = cli_posix_symlink(cli, fname, sname);
++ if (!NT_STATUS_IS_OK(status)) {
++ printf("cli_posix_symlink of %s -> %s failed (%s)\n",
++ sname,
++ fname,
++ nt_errstr(status));
++ goto out;
++ }
++
++ /* Get the EA list on the path. Should return value set. */
++ status = cli_get_ea_list_path(cli,
++ fname,
++ frame,
++ &num_eas,
++ &eas);
++
++ if (!NT_STATUS_IS_OK(status)) {
++ printf("cli_get_ea_list_path failed (%s)\n",
++ nt_errstr(status));
++ goto out;
++ }
++
++ /* Ensure the EA we set is there. */
++ for (i=0; i<num_eas; i++) {
++ if (strcmp(eas[i].name, ea_name) == 0 &&
++ eas[i].value.length == strlen(ea_value)+1 &&
++ memcmp(eas[i].value.data,
++ ea_value,
++ eas[i].value.length) == 0) {
++ break;
++ }
++ }
++
++ if (i == num_eas) {
++ printf("Didn't find EA on pathname %s\n",
++ fname);
++ goto out;
++ }
++
++ num_eas = 0;
++ TALLOC_FREE(eas);
++
++ /* Get the EA list on the symlink. Should return empty list. */
++ status = cli_get_ea_list_path(cli,
++ sname,
++ frame,
++ &num_eas,
++ &eas);
++
++ if (!NT_STATUS_IS_OK(status)) {
++ printf("cli_get_ea_list_path failed (%s)\n",
++ nt_errstr(status));
++ goto out;
++ }
++
++ if (num_eas != 0) {
++ printf("cli_get_ea_list_path failed (%s)\n",
++ nt_errstr(status));
++ goto out;
++ }
++
++ /* Set an EA on the symlink. Should fail. */
++ status = cli_set_ea_path(cli,
++ sname,
++ ea_name,
++ ea_value,
++ strlen(ea_value)+1);
++
++ if (!NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
++ printf("cli_set_ea_path on a symlink gave %s. "
++ "Should be NT_STATUS_ACCESS_DENIED.\n",
++ nt_errstr(status));
++ goto out;
++ }
++
++ printf("EA symlink test passed\n");
++ correct = true;
++
++ out:
++
++ if (fnum != (uint16_t)-1) {
++ cli_close(cli, fnum);
++ fnum = (uint16_t)-1;
++ }
++
++ cli_setatr(cli, sname, 0, 0);
++ cli_posix_unlink(cli, sname);
++ cli_setatr(cli, fname, 0, 0);
++ cli_posix_unlink(cli, fname);
++
++ if (!torture_close_connection(cli)) {
++ correct = false;
++ }
++
++ TALLOC_FREE(frame);
++ return correct;
++}
+
+ static uint32 open_attrs_table[] = {
+ FILE_ATTRIBUTE_NORMAL,
+@@ -9845,6 +10022,8 @@ static struct {
+ {"POSIX", run_simple_posix_open_test, 0},
+ {"POSIX-APPEND", run_posix_append, 0},
+ {"POSIX-SYMLINK-ACL", run_acl_symlink_test, 0},
++ {"POSIX-SYMLINK-ACL", run_acl_symlink_test, 0},
++ {"POSIX-SYMLINK-EA", run_ea_symlink_test, 0},
+ {"CASE-INSENSITIVE-CREATE", run_case_insensitive_create, 0},
+ {"ASYNC-ECHO", run_async_echo, 0},
+ { "UID-REGRESSION-TEST", run_uid_regression_test, 0},
+--
+1.9.1
+
diff --git a/SPECS/samba.spec b/SPECS/samba.spec
index bd88734..003b3e3 100644
--- a/SPECS/samba.spec
+++ b/SPECS/samba.spec
@@ -6,7 +6,7 @@
# ctdb is enabled by default, you can disable it with: --without clustering
%bcond_without clustering
-%define main_release 11
+%define main_release 12
%define samba_version 4.2.3
%define talloc_version 2.1.2
@@ -121,6 +121,7 @@ Patch8: samba-CVE-2015-3223.patch
Patch9: samba-CVE-2015-5299.patch
Patch10: samba-CVE-2015-5252.patch
Patch11: samba-CVE-2015-5296.patch
+Patch12: CVE-2015-7560-v4-2.patch
BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
@@ -705,6 +706,7 @@ and use CTDB instead.
%patch9 -p1 -b .samba-CVE-2015-5299.patch
%patch10 -p1 -b .samba-CVE-2015-5252.patch
%patch11 -p1 -b .samba-CVE-2015-5296.patch
+%patch12 -p1 -b .CVE-2015-7560-v4-2.patch
%build
%global _talloc_lib ,talloc,pytalloc,pytalloc-util
@@ -2001,6 +2003,9 @@ rm -rf %{buildroot}
%endif # with_clustering_support
%changelog
+* Fri Mar 04 2016 Andreas Schneider <asn@redhat.com> - 4.2.3-12
+- resolves: #1314672 - Fix CVE-2015-7560
+
* Fri Dec 11 2015 Guenther Deschner <gdeschner@redhat.com> - 4.2.3-11
- resolves: #1290710
- CVE-2015-3223 Remote DoS in Samba (AD) LDAP server